IFrames Resurface as Popular Attack Vector for Hackers
Security experts warn of rise in "poisoning" of thousands of Web pages via iFrame exploit.
There was a time when end users and IT shops could avoid remote code execution
exploits by simply patching vulnerable applications, staying away from questionable
URLs and not opening suspicious e-mail attachments.
But security experts warn that this period may be coming to an end, particularly
in light of recent widespread attacks against several hundred thousand Web pages
and what one researcher, Dancho Danchev, called the "poisoning"
of more than a million search queries with loadable inline frames, or what's
commonly known as iframes.
"What we're seeing is an old idea -- hacking for profit -- with a relatively
recent distribution point, the iframe," said Don Leatham, senior director of
solutions at Scottsdale, Ariz.-based Lumension Security. "The hackers are able
to set the expectation that you're on a trusted site that is recommending you
download a particular software or directing you to bogus address, anything to
reel you in and then use the old Trojan uploads like .Zlob."
The recent attacks, which began in the beginning of March and continued through
last week, affected some of the Web's most frequented destinations, including
CNET.com, ABC News' homepage, Walmart.com and others.
Hackers have done this sort of thing in the past through phishing or "masquerade
ball" attacks using, for example, URLs that are off by one letter or Web
pages that pose as legitimate sites linking to eBay or PayPal. But observers
say this new approach is different and more effective because the user is tricked
into thinking they've never left their trusted Web address.
This is because iframes are hypertext mark-up language (html) elements that
enable hackers to embed specially crafted and malicious Web-language-based files
inside a seemingly benign Web interface. The iframes are supposed to be used
to subdivide content of a given Web site. One of the more common uses of iframes
is creating an advertisement or sidebar URL that might pop up on a homepage
without one having to leave that homepage.
Security practitioners say such attacks are especially effective in browsers
such as Internet Explorer.
"This is concerning because this could impact a user if they visit what they
believe to be a legitimate Web site or search engine," said Eric Schultze, chief
technology officer of St. Paul, Minn.-based Shavlik Technologies. "Users have
thus far been conditioned to be careful when visiting potentially questionable
Web sites. Now that legitimate Web sites are being impacted, you can no longer
mitigate the risk by saying 'be careful where you surf.'"
Both Schultze and Lumension's Leatham said they would encourage enterprise
security specialists to lock down the network at the firewall level, confining
workstations only to sites that are pertinent to business in the event all else
Meanwhile, for managers of computer processing environments who wish to take
a less stringent approach, keeping up with the latest anti-virus and anti-malware
signatures as well as patches, such as those form Microsoft, is also a good
"It's a good bet that we'll see a lot more of this style attack in the future,"
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.